What are BCRs?
Binding corporate rules (BCRs) are internal data protection rules that govern transfers of personal data within a group from EEA entities to entities located outside the EEA (third countries).
This article was updated 23 May 2022.
These rules contain general data protection principles and allow for a right of action by a data subject against the group for failure to comply with the rules. As a package, BCRs can provide the appropriate safeguards to govern all data transfers in a group pursuant to the GDPR.
There are two types of applications: (1) BCRs for controllers: suitable for transfers of data that the group is ultimately responsible for, and (2) BCRs for processors: suitable for transfers within a group where the group is acting as processor for other controllers, generally customers.
Advantages of BCRs
The BCR approval process is rigorous. Therefore, groups that implement BCRs are rewarded with both a strong and accountable framework for intra-group transfers.
BCRs also provide a significant degree of flexibility as a means of data transfer. While BCRs can easily absorb changes to a group’s corporate structure, cumbersome intra-group data transfer agreements with standard contractual clauses must be reviewed, and often updated to reflect any structural or data flow changes.
An applicant organisation will submit the BCR application to their chosen lead supervisory authority in the EU (which can no longer include the UK ICO). Once the BCRs are reviewed and commented on by the lead supervisory authority, they are circulated to two co-reviewing supervisory authorities for further review and comment. Next, a committee consisting of the lead supervisory authority, one or both co-reviewers, an independent supervisory authority and a member of the European Data Protection Board (EDPB) secretariat will provide their comments which will be incorporated into a final version of the BCRs. This final version is submitted to the EDPB. While all supervisory authorities technically have the right to comment in this final review period, in practice further comments are unlikely. Finally, the EDPB will issue an opinion on the decision to approve the BCRs after which the lead supervisory authority will authorise the group to make intra-group data transfers subject to the approved BCRs.
Tips for BCR applications
In order to streamline the application process, we recommend applicant organisations:
- Stick to the language in the relevant BCR guidance documents. Amending language can be seen by supervisory authorities as an attempt to reduce the level of protection even if this is not the aim.
- Set out in detail how the organisation will audit compliance with the BCRs. Audit plans should have sufficient detail for the supervisory authorities to understand the scope and frequency of the audit and importantly how audit results will be reviewed and acted upon.
- Evidence the binding nature of the BCRs on employees and companies. Failure to comply with the BCRs as an employee and as a company must have real consequences.
- Develop a contingency plan should any employee involved in the application process leave the project. One major cause of delay in this process is employee turnover. Management buy-in will counter this delay, as will nominating a point of contact for those working on discrete elements of the application.
Implications of Schrems II on BCRs
The recent Schrems II decision (see our briefing on the ruling here) invalidated the EU-US Privacy Shield as a means of data transfers between the EU and US. Thankfully, groups may still rely on BCRs and standard contractual clauses as valid transfer mechanisms. However, data exporters and data importers alike must consider whether BCRs and standard contractual clauses on their own provide a level of “essentially equivalent” protection in light of the third country’s legal regime. If not, supplemental measures must be put in place to reach this threshold of “essentially equivalent” protection. Helpfully, BCRs have certain built-in supplemental measures including a reporting procedure in relation to data access requests from foreign law enforcement or national security bodies and a robust procedure for data subject claims.
The EDPB is currently updating its guidance for BCRs to account for the Schrems II decision.
Standard Contractual Clauses
Standard Contractual Clauses (SCCs) are model contract clauses that have been “pre-approved” by the European Commission. While BCRs apply to inter-group transfers of data, SCCs apply to transfers of data outside of a company. On 4 June 2021, the Commission issued new SCCs for data transfers from controllers or processors in the EU/EEA to controllers or processors established outside the EU/EEA (and not subject to the GDPR).
A full discussion of the new SCCs and their application is available here. However, it is important to note that by 27 December 2022, data transfer agreements based on the old SCCs must be replaced by the new SCCs.
Implications of Brexit on BCRs
From 1 January 2021, the UK ICO is no longer a recognised supervisory authority under the GDPR and therefore cannot act as a lead supervisory authority for the BCR approval process. The EDPB issued an information note in July 2020 to address what this means for UK-based groups.
For BCRs already approved by the ICO under the GDPR, a new supervisory authority in the EEA will have issued a new BCR approval decision (following an EDPB opinion) before 1 January 2021. Failure to secure a new approval before 1 January 2021 means a group will no longer be able to rely on its BCRs as a valid transfer mechanism for transfers of data outside the EEA. There is the possibility of an EU-US agreement on transfer mechanisms in the future, which we will report on as information becomes available.
Companies seeking to maintain or apply for BCRs under the UK system fall into three categories:
- Existing BCRs which were approved by the ICO as the lead supervisory authority have been eligible for transfer to the UK system since 1 January 2021;
- BCRs that were not approved by the ICO as the lead supervisory authority need to be UK localized. Applications for transfer closed on 30 June 2021; and
- New applicants must apply using UK guidance documents.
The latest update on BCRs from the ICO, published in December 2021, is available here.
The BCR approval process is rigorous and involves a full examination of a group’s data protection practices and documentation. The time period for approval can take anywhere from 18 months for well-managed applications to 24 months. This period will also depend on the workload of the lead supervisory authority. Groups that wish to apply for BCRs should plan ahead and leverage existing privacy programs where possible in order to reduce approval time.